cosign
Safeguard articles tagged "cosign" — guides, analysis, and best practices for software supply chain and application security.
33 articles
How to Sign Container Images With Cosign: A Complete Guide
A practical walkthrough for signing container images with Cosign using keyless OIDC, verifying signatures, and enforcing policy in your Kubernetes cluster.
How to Generate an SBOM in a GitLab CI Pipeline
A working .gitlab-ci.yml for SBOM generation with Syft: CycloneDX report artifacts, a Grype scan stage, and Cosign attestations pushed next to the image.
How to Set Up Sigstore in Your Build Pipeline
Wire Sigstore into GitHub Actions end-to-end: OIDC identity, Cosign signing, Rekor transparency, and policy-controller enforcement — with working snippets.
How to Enforce Cosign Signatures in Kubernetes Admission
A hands-on tutorial for blocking unsigned container images at the Kubernetes admission layer using Cosign, Sigstore policy-controller, and keyless verification.
Container Image Signing with Cosign: A Practical Deep Dive
Cosign makes signing and verifying container images straightforward. Here's everything you need to know to implement it in your pipeline.
Sigstore Reaches GA: Free Software Signing for Everyone
Sigstore's general availability in October 2022 made cryptographic signing accessible to every developer. Here's why this is a watershed moment.
OCI Artifact Signing Standards: Making Sense of the Landscape
Container image signing has gone through multiple iterations. Here is where the OCI standards stand now and what you need to implement.
A First-Principles Guide to Artifact Signing in 2022
Artifact signing is having a moment, but most teams skip the fundamentals. Here is the first-principles case for why you sign, what you sign, and who verifies.
Sigstore and Cosign: Software Signing for the Rest of Us
Sigstore makes software signing accessible by eliminating the pain of key management. Here's how Cosign, Fulcio, and Rekor work together to verify software integrity.